Awesome Open Source

Dumproid

GitHub release License: MIT

Dumproid is an Android process memory dump tool that does not require the NDK. It dumps memory from /proc/<pid>/mem.

Installation

Download the binary from GitHub Releases and push it to the Android device using adb.

$ adb push dumproid /data/local/tmp/dumproid

How to Build

You need the Go 1.13 compiler. After the build completes, the built binary is placed in /data/local/tmp/ on the Android device if adb is connected.

$ make
GOOS=linux GOARCH=arm64 GOARM=7 go build -o dumproid
/bin/sh -c "adb push dumproid /data/local/tmp/dumproid"
dumproid: 1 file pushed. 24.1 MB/s (4977746 bytes in 0.197s)

Usage

Start-up

When the Android device is rooted:

$ adb shell
$ su
# /data/local/tmp/dumproid -p <PID> <some option>
               
██████╗ ██╗   ██╗███╗   ███╗██████╗ ██████╗  ██████╗ ██╗██████╗
██╔══██╗██║   ██║████╗ ████║██╔══██╗██╔══██╗██╔═══██╗██║██╔══██╗
██║  ██║██║   ██║██╔████╔██║██████╔╝██████╔╝██║   ██║██║██║  ██║
██║  ██║██║   ██║██║╚██╔╝██║██╔═══╝ ██╔══██╗██║   ██║██║██║  ██║
██████╔╝╚██████╔╝██║ ╚═╝ ██║██║     ██║  ██║╚██████╔╝██║██████╔╝
╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     ╚═╝  ╚═╝ ╚═════╝ ╚═╝╚═════╝

When the target app is debuggable and the Android device is not rooted:

$ adb shell
$ pm list packages # to check <target-package-name>
# run-as <target-package-name>
# cp /data/local/tmp/dumproid ./dumproid
# ./dumproid <some option>
               
██████╗ ██╗   ██╗███╗   ███╗██████╗ ██████╗  ██████╗ ██╗██████╗
██╔══██╗██║   ██║████╗ ████║██╔══██╗██╔══██╗██╔═══██╗██║██╔══██╗
██║  ██║██║   ██║██╔████╔██║██████╔╝██████╔╝██║   ██║██║██║  ██║
██║  ██║██║   ██║██║╚██╔╝██║██╔═══╝ ██╔══██╗██║   ██║██║██║  ██║
██████╔╝╚██████╔╝██║ ╚═╝ ██║██║     ██║  ██║╚██████╔╝██║██████╔╝
╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     ╚═╝  ╚═╝ ╚═════╝ ╚═╝╚═════╝

Dump memory

Dump To File

Permissions like rwxs can be specified as a filter. By default, files are dumped under /data/local/tmp/.

sargo:/ # /data/local/tmp/dumproid -q -p 24264 --filter rw-p 
Output Dir: /data/local/tmp/20200315194818
  Dump File: 12c00000-131c0000__dev_ashmem_dalvik-main_space_(region_space)_(deleted)
  Dump File: 13340000-2ac00000__dev_ashmem_dalvik-main_space_(region_space)_(deleted)
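  Dump File: 6f181000-6f3a6000__data_dalvik-cache_arm_system@framework@boot.art
  Dump File: 6f3bc000-6f4b3000__data_dalvik-cache_arm_system@framework@boot-core-libart.art
  Dump File: 6f4c5000-6f4f6000__data_dalvik-cache_arm_system@framework@boot-conscrypt.art
  Dump File: 6f4f9000-6f526000__data_dalvik-cache_arm_system@framework@boot-okhttp.art
  Dump File: 6f529000-6f57f000__data_dalvik-cache_arm_system@framework@boot-bouncycastle.art
  Dump File: 6f586000-6f5db000__data_dalvik-cache_arm_system@framework@boot-apache-xml.art
  Dump File: 6f5e2000-6f61d000__data_dalvik-cache_arm_system@framework@boot-ext.art
  Dump File: 6f628000-6fe2a000__data_dalvik-cache_arm_system@framework@boot-framework.art
  Dump File: 6fe8a000-6ff6c000__data_dalvik-cache_arm_system@framework@boot-telephony-common.art
  Dump File: 6ff7e000-6ff89000__data_dalvik-cache_arm_system@framework@boot-voip-common.art
  Dump File: 6ff8b000-6ffa0000__data_dalvik-cache_arm_system@framework@boot-ims-common.art
  Dump File: 6ffa2000-6ffa5000__data_dalvik-cache_arm_system@framework@boot-android.hidl.base-V1.0-java.art
  Dump File: 6ffa5000-6ffa9000__data_dalvik-cache_arm_system@framework@boot-android.hidl.manager-V1.0-java.art
  Dump File: 6ffab000-6ffac000__data_dalvik-cache_arm_system@framework@boot-framework-oahl-backward-compatibility.art
  Dump File: 6ffad000-6ffb0000__data_dalvik-cache_arm_system@framework@boot-android.test.base.art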
  Dump File: 70365000-70366000_[anon:.bss]
  Dump File: 707e5000-707e6000__system_framework_arm_boot.oat

Transfer dumped files to your PC using adb pull:

$ adb pull /data/local/tmp/20200315194818 
/data/local/tmp/20200315194818/: 736 files pulled. 30.0 MB/s (583184384 bytes in 18.552s)

Print hexdump

Use the dump option to display memory like a hexdump.

sargo:/ # /data/local/tmp/dumproid -q -p 24264 -a 0xf0c9e000 --dump
00000000  00 40 00 00 d0 60 b7 f0  01 00 00 00 14 71 b7 f0  |.@...`.......q..|
00000010  2d 33 bf f0 00 00 00 00  00 00 00 00 1c e0 c9 f0  |-3..............|
00000020  2f 73 79 73 74 65 6d 2f  62 69 6e 2f 6c 69 6e 6b  |/system/bin/link|
00000030  65 72 00 00 1d 00 00 00  02 00 00 00 00 10 00 00  |er..............|
00000040  40 e0 c9 f0 40 e0 c9 f0  35 d7 c2 f0 4c e0 c9 f0  |@...@...5...L...|
00000050  4c e0 c9 f0 00 00 00 00  00 00 00 00 ca 82 c8 f0  |L...............|
00000060  00 00 00 00 ff ff ff ff  00 00 00 00 e1 82 c8 f0  |................|
00000070  00 00 00 00 ff ff ff ff  00 00 00 00 95 26 c3 f0  |.............&..|
00000080  00 00 00 00 00 00 00 00  f3 82 c8 f0 00 00 00 00  |................|
00000090  ff ff ff ff fe 00 00 00  09 83 c8 f0 00 00 00 00  |................|
000000a0  ff ff ff ff fe 00 00 00  59 27 c3 f0 ac e0 c9 f0  |........Y'......|
000000b0  ac e0 c9 f0 27 28 c8 f0  79 27 c3 f0 b1 27 c3 f0  |....'(..y'...'..|
000000c0  d5 27 c3 f0 f1 27 c3 f0  f5 28 c3 f0 61 29 c3 f0  |.'...'...(..a)..|
000000d0  c9 29 c3 f0 4d 2a c3 f0  ad 2a c3 f0 0d 2b c3 f0  |.)..M*...*...+..|
000000e0  1d 2b c3 f0 99 2b c3 f0  e8 e0 c9 f0 e8 e0 c9 f0  |.+...+..........|
000000f0  f0 e0 c9 f0 f0 e0 c9 f0  f8 e0 c9 f0 f8 e0 c9 f0  |................|

Check memory mapping

Use the maps option to display memory mapping.

sargo:/ # /data/local/tmp/dumproid -q -p 24264 --maps --filter rw-p                                                                                                         
12c00000-131c0000 rw-p 00000000 00:05 23292                              /dev/ashmem/dalvik-main space (region space) (deleted)
13340000-2ac00000 rw-p 00740000 00:05 23292                              /dev/ashmem/dalvik-main space (region space) (deleted)
6f181000-6f3a6000 rw-p 00000000 fd:01 221                                /data/dalvik-cache/arm/system@framework@boot.art
6f3bc000-6f4b3000 rw-p 00000000 fd:01 229                                /data/dalvik-cache/arm/system@framework@boot-core-libart.art
6f4c5000-6f4f6000 rw-p 00000000 fd:01 232                                /data/dalvik-cache/arm/system@framework@boot-conscrypt.art
6f4f9000-6f526000 rw-p 00000000 fd:01 235                                /data/dalvik-cache/arm/system@framework@boot-okhttp.art
6f529000-6f57f000 rw-p 00000000 fd:01 240                                /data/dalvik-cache/arm/system@framework@boot-bouncycastle.art
6f586000-6f5db000 rw-p 00000000 fd:01 250                                /data/dalvik-cache/arm/system@framework@boot-apache-xml.art
6f5e2000-6f61d000 rw-p 00000000 fd:01 263                                /data/dalvik-cache/arm/system@framework@boot-ext.art
6f628000-6fe2a000 rw-p 00000000 fd:01 270                                /data/dalvik-cache/arm/system@framework@boot-framework.art
6fe8a000-6ff6c000 rw-p 00000000 fd:01 275                                /data/dalvik-cache/arm/system@framework@boot-telephony-common.art
6ff7e000-6ff89000 rw-p 00000000 fd:01 278                                /data/dalvik-cache/arm/system@framework@boot-voip-common.art
6ff8b000-6ffa0000 rw-p 00000000 fd:01 281                                /data/dalvik-cache/arm/system@framework@boot-ims-common.art
6ffa2000-6ffa5000 rw-p 00000000 fd:01 284                                /data/dalvik-cache/arm/system@framework@boot-android.hidl.base-V1.0-java.art
6ffa5000-6ffa9000 rw-p 00000000 fd:01 287                                /data/dalvik-cache/arm/system@framework@boot-android.hidl.manager-V1.0-java.art
6ffab000-6ffac000 rw-p 00000000 fd:01 290                                /data/dalvik-cache/arm/system@framework@boot-framework-oahl-backward-compatibility.art
6ffad000-6ffb0000 rw-p 00000000 fd:01 293                                /data/dalvik-cache/arm/system@framework@boot-android.test.base.art
70365000-70366000 rw-p 00000000 00:00 0                                  [anon:.bss]
707e5000-707e6000 rw-p 003b4000 103:25 603                               /system/framework/arm/boot.oat
70967000-70968000 rw-p 00000000 00:00 0                                  [anon:.bss]
70c61000-70c62000 rw-p 00182000 103:25 601                               /system/framework/arm/boot-core-libart.oat
...
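
For analysts matching pulled dump files back to their mappings, the following added example (not Dumproid's own code) parses /proc/<pid>/maps lines, applies a permission filter, and derives each region's dump file name and the total byte count. The naming rule is inferred from the sample output above, exact-match filtering is an assumption, and `Region`, `ParseMapsLine`, `DumpName` and `Plan` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Region is one parsed line of /proc/<pid>/maps.
type Region struct {
	Start, End  uint64
	Perms, Path string
}

// ParseMapsLine parses "start-end perms offset dev inode [path]"; the path may contain spaces.
func ParseMapsLine(line string) (r Region, err error) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return r, fmt.Errorf("short maps line: %q", line)
	}
	if _, err = fmt.Sscanf(f[0], "%x-%x", &r.Start, &r.End); err != nil || r.End <= r.Start {
		return r, fmt.Errorf("bad address range: %q", f[0])
	}
	r.Perms, r.Path = f[1], strings.Join(f[5:], " ")
	return r, nil
}

// DumpName: range, "_", then the path with "/" and " " as "_" (inferred from the output above).
func DumpName(r Region) string {
	p := strings.NewReplacer("/", "_", " ", "_").Replace(r.Path)
	return fmt.Sprintf("%08x-%08x_%s", r.Start, r.End, p)
}

// Plan lists names and total bytes for regions whose perms equal the filter (assumed semantics).
func Plan(maps, perms string) (names []string, total uint64) {
	for _, line := range strings.Split(maps, "\n") {
		if r, err := ParseMapsLine(line); err == nil && r.Perms == perms {
			names = append(names, DumpName(r))
			total += r.End - r.Start
		}
	}
	return names, total
}

// Sample: two lines from the maps output above plus one constructed r-xp line.
const Sample = `12c00000-131c0000 rw-p 00000000 00:05 23292      /dev/ashmem/dalvik-main space (region space) (deleted)
70365000-70366000 rw-p 00000000 00:00 0          [anon:.bss]
7f000000-7f001000 r-xp 00000000 00:00 0          /constructed/example.so`

func main() { fmt.Println(Plan(Sample, "rw-p")) }
```

The total is useful for checking free space under /data/local/tmp/ before dumping and for confirming that `adb pull` transferred the expected number of bytes.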

License

GPLv3 - GNU General Public License, version 3

Copyright (C) 2020 tkmru

